Time
5 hours 31 minutes
Difficulty
Advanced
CEU/CPE
6

Video Description

This lesson opens with the reasons for software insecurity. Software insecurity can be attributed to the following reasons:
• Lack of training
• Lack of funding
• No prioritization of security
• Security as an afterthought

There are a number of vulnerability databases and projects that are good resources for addressing software insecurity. They include:
• Open Web Application Security Project (OWASP) Top 10
• Common Vulnerabilities and Exposures (CVE)
• Common Weakness Enumeration (CWE)
• National Vulnerability Database (NVD)
• US-CERT vulnerability database

This lesson specifically focuses on OWASP Top 10 items 1 through 5. OWASP is an international organization whose goal is raising awareness of, and stressing the need for, security in web-based applications. The top 5 are:
• Injection
• Broken authentication and session management
• Cross-site scripting (XSS)
• Insecure direct object references
• Security misconfiguration
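The first and fourth items above, injection and insecure direct object references, both come down to untrusted input being passed straight through to the back end. The Python example below is added here for illustration and is not part of the lesson or of any OWASP material. It uses a constructed in-memory SQLite database and hypothetical function names (greet_vulnerable, greet_safe, sales_vulnerable, sales_safe, may_view) to show a string-built query beside its parameterized form, and a month-parameter lookup beside the same lookup with an authorization check.

```python
import sqlite3

# Constructed sample data (an assumption for this example): a users table and a
# monthly sales table, standing in for the lesson's "Welcome, Kelly" page and
# the January-to-March sales report.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE sales(month TEXT PRIMARY KEY, total INTEGER);
        INSERT INTO users VALUES (1, 'kelly', 'analyst'), (2, 'admin', 'admin');
        INSERT INTO sales VALUES ('jan', 100), ('feb', 200), ('mar', 300),
                                 ('apr', 400), ('sep', 900);
    """)
    return conn


# --- 1. Injection ------------------------------------------------------------

def greet_vulnerable(conn, name):
    # The name typed into the form is glued into the SQL text, so a quote in
    # the input closes the string literal and the rest is executed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def greet_safe(conn, name):
    # Parameterized query: the value travels separately from the SQL text and
    # can only ever be compared against the name column, never parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- 4. Insecure direct object reference ------------------------------------

# Hypothetical authorization table: which months each user may view.
ALLOWED_MONTHS = {
    "kelly": {"jan", "feb", "mar"},
    "admin": {"jan", "feb", "mar", "apr", "sep"},
}


def may_view(user, month):
    # Unknown users are allowed nothing; known users only their listed months.
    return month in ALLOWED_MONTHS.get(user, set())


def sales_vulnerable(conn, user, month):
    # Trusts the ?response=<month> parameter: the user authenticated, but
    # nothing checks that *this* user may see *this* month.
    row = conn.execute("SELECT total FROM sales WHERE month = ?", (month,)).fetchone()
    return row[0] if row else None


def sales_safe(conn, user, month):
    # Check the requested object against the user's authorization before
    # touching the database.
    if not may_view(user, month):
        raise PermissionError(f"{user} may not view {month}")
    row = conn.execute("SELECT total FROM sales WHERE month = ?", (month,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    tautology = "kelly' OR '1'='1"
    union = "x' UNION ALL SELECT month, total FROM sales --"
    print("vulnerable, tautology:", greet_vulnerable(db, tautology))   # both users
    print("vulnerable, UNION:    ", greet_vulnerable(db, union))       # sales table leaked
    print("safe, same payload:   ", greet_safe(db, tautology))         # []
    print("IDOR, kelly -> apr:   ", sales_vulnerable(db, "kelly", "apr"))  # 400
    try:
        sales_safe(db, "kelly", "apr")
    except PermissionError as e:
        print("checked, kelly -> apr:", e)
```

Note that the parameterized query alone does nothing for the IDOR case: sales_vulnerable already uses a bound parameter, and it is still exploitable, because the missing piece is the authorization check on the referenced object, not the query syntax.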

Video Transcription

00:04
Okay, so we've agreed that software today is, as a general rule, insecure. It's not written to be secure, it's written to function, and then often security is handled after the fact,
00:16
if it's handled at all. So let's look at some of the resources that we have so that we can address this problem. You know, sometimes we don't have the power to go back and rewrite the software securely. So what can we do? Well, we can monitor. We can make ourselves aware of the vulnerabilities and do the best that we can to mitigate
00:36
those.
00:36
Also, in moving forward with the software that we do develop, we can be conscious of these vulnerabilities, of these threats, so that we can write better code.
00:47
So when we talk about being aware of what's out there, you know, where are the dangers? OWASP, for Web application security, really is one of the best organizational groups that you can work with. It's the Open Web Application Security Project,
01:02
and on their Web page, on their Web site, they have just a wealth of information about vulnerabilities directed at Web applications. They also publish a top 10 vulnerabilities list, and it's really worth taking a look at, which we'll do in a few minutes, because it walks through some of the more common mistakes that are made
01:22
by developers
01:23
and some of the more common exploits that we see from an attack perspective. So OWASP, it's really good to look at. There's also the CVE, common vulnerabilities and exploit database. There's a CWE, which is Common Weakness Enumeration, which again, it's just a list. Enumeration just means listing,
01:42
a listing of some of the common weaknesses that are out there.
01:46
There's also the National Vulnerability Database. There's US-CERT, you know, if you're looking for elements more involved with government computers, but these are just a handful of resources. There are many that are out there, but these are very, very good.
02:00
Now, as I mentioned, OWASP is really one of the best places to go if you're gonna be working with
02:06
Web applications, to really make sure that we understand the vulnerabilities and how we can limit the damage through these vulnerabilities. OWASP is international and it's a non-profit organization, again, Open Web Application Security Project,
02:22
and one of the best things that they do for us is publish the top 10 list that gives us an overview of the most commonly orchestrated security attacks on Web applications.
02:35
So here's our OWASP Top 10. Now, I'll tell you, from a test-taking perspective, they will not ask you, you know, "based on the OWASP 2013 Top 10," and by the way, that is the most current that's out now, "what is number five?" You know, you don't have to know these in order,
02:53
but I would very much be able to explain at a relatively high level
02:57
what each of these types of attacks are. So an injection attack, a cross-site scripting attack, misconfiguration and so on. So let's go ahead and look at each of these. And let's talk about mitigating strategies as much as we can. So the very most common, um,
03:15
attack on Web applications is code injection,
03:19
whether it's SQL injection, LDAP injection, whatever the protocol that's being exploited is, code injection is really code injection. You know, it's really the same thing. The bottom line is, often to add additional functionality to a user's Web experience,
03:38
We allow them to input information,
03:39
we might query the users for their input, their information, their preferences. You know, we might ask them, we might ask a user for their name so that the second Web page can read, "Welcome, Kelly."
03:55
So any of these elements, anything that's input goes to the back end database.
04:02
So we've all heard the phrase "garbage in, garbage out." So if instead, when it says "Please enter your name," I enter a command that revolves around the idea of dropping the table in a SQL database, well, that's gonna have a very obviously very negative effect on the back end.
04:20
So we refer to that as code injection, where I'm injecting code
04:25
into user forms, and the user forms are asking for, you know, very basic, straightforward, legitimate information. But if there's no form of input validation, I can enter code into those entry points and have that code run in the back-end database. So that's a big deal.
04:43
So some ways that we can mitigate
04:45
and really the easy answer on the test is you mitigate code injection through input validation.
04:51
But just like anything else, it really has to be a balanced and layered approach to limit the damage with code injection. One of the things that we'll use is data typing. So we very strictly will data type our entries, our fields within our form. So, for instance, if I ask you for the date,
05:10
you shouldn't be entering the alphabet into a date field. We should data type that as date/time.
05:15
Um,
05:16
another thing that we can do is we can limit that length of input. So for your last name, I'm not gonna give you 500 characters. I'll give you 10 characters. And if your last name is longer than 10 characters, it'll be truncated,
05:30
um,
05:31
for state name. I'm not gonna give you 100 characters to type out the name of your state. I'm gonna give you two characters.
05:39
And if I'm really smart, rather than giving you two characters, I'm just gonna have you pull the name of your state from a drop-down menu, because that gives you less chance to input hostile data or any sort of code. So
05:54
with all of that happening, that's part of input validation. But then we also, before taking what's in these forms and passing them along to the back-end database, there should be additional inspection, and that usually comes from our CGI script, our common gateway interface.
06:11
And if you remember throughout class, we've talked about
06:14
untrusted should never access trusted except through an interface. And it's the job of that interface to make sure that only proper information is being passed along to the back-end database. So one of the biggest threats today against databases is code injection. It takes lots of extra work
06:32
to do the input validation,
06:34
but it's certainly worth it
06:36
Now, the next one, broken authentication and session management. This isn't a specific type of attack, in that there are lots of ways this can happen. Really, what this is saying is poor authentication and poor session management.
06:50
For instance, when does a session expire,
06:56
and if a session, uh, doesn't expire after two minutes of no use or inactivity, would it be possible for me, as an attacker, to pick up on that session that's already been created
07:13
and kind of step in? Ah, sort of like a man-in-the-middle attack? I don't know. Yeah, you know, it makes me think about landlines. You know, if somebody's on the phone and goes to hang up, if I can pick up that other phone line before they hang up, I'm now on the call and I can start and impersonate the original user.
07:32
So that's kind of an exploit that could happen with session management if that doesn't work properly.
07:38
We gotta make sure that tokens are stored in plain text, session IDs. Um, we want to make sure that passwords are protected. We're not sending passwords across the network in plain text. We have to make sure that when we are authenticating,
07:54
that we authenticate well and that we have good information implementation
07:59
so that these identities and this authentication information is not compromised. All right, number three, cross-site scripting, and you'll notice a lot of these attacks go together, because cross-site scripting really takes advantage of websites that don't do input validation.
08:16
So once again, we go to that idea of, the website's gonna ask you, so you go to visit, um,
08:22
uh, you know, the
08:24
banking, your banking page or doesn't even have to be a secure website. Let's say that you go to visit
08:31
uh, you've got an account with your local news organization on their website and you log in and they show you the news that you've selected. That's of interest to you. So when you go to this website, it asks you to enter your name.
08:46
Well,
08:46
if I can enter code
08:50
into that space where it says enter your name, if I can enter some sort of malicious code, what's gonna happen is the second page that's going to see if I can explain this better. Um,
09:03
so what's input on the first page is gonna be played back on the second page. So basically the first website, the first page that I visit with the website, says, "Please enter your name," and I enter my name, Kelly Handerhan. Then that takes me to a second Web page that says, "Welcome, Kelly Handerhan."
09:22
So on the first site, where it says enter your name
09:26
if instead of the name I could enter a script, a malicious JavaScript that's called and that runs some sort of malicious activity, um, then you could be sent to that Web page unknowing, and that second site, or that second page, could wrap around and the script could run in your browser.
09:46
So, for instance, I send you a phishing email
09:48
that takes you to a site that's been compromised and that malicious code has already been entered and because of the way cross site scripting works and because of the fact that that website doesn't do input validation, that malicious script, it's actually called and run within your browser.
10:05
I hope that makes sense because cross site scripting is a really,
10:09
really common type of attack. So basically, what it does is for applications that for Web apps that don't do proper input validation can redirect you to a malicious site that runs a script or some other malicious activity to wrap around and run in your browser. And a lot of times, your phishing emails
10:28
take advantage of cross site scripting. Or
10:31
that's their purpose. Click on this link in order to change your password or click on this link in order to visit such and such sight. And when you click on that link, that takes you to the compromise page where the script runs,
10:46
Uh, and you know the way our Web sites run is our Web browsers process
10:52
the source code of the website. So if that source code calls a malicious script that's automatically running their browser, so cross site scripting is a big deal. It's something that
11:05
is very difficult from a client standpoint to resolve, because it really takes advantage of websites that are poorly written.
11:13
So if I go to a poorly written and designed website, I don't have a lot of control over that cross-site scripting. So we have to be very careful about which websites we do go to, and we have to have that degree of trust that the websites are well written.
11:28
If a website does not perform input validation, then cross-site scripting can very readily happen and can be very, very effective.
11:35
All right, our next, um number four for common attacks insecure direct object references.
11:46
So to give you an example, let's say that I pull a query of sales figures, and let's say that I was authorized as an individual to access sales figures from January to March. I'm not authorized to access April forward, but I am authorized to access January through March,
12:05
so I go to view the sales figures for January and I type in my credentials. It allows me to access January
12:11
Now, up in the URL, I can see where it says, um, response equals Jan. So that tells me it's showing me a response from January.
12:22
Well, if I changed Jan.
12:24
to April, APR, or to September, some other element, what I'm doing is I'm referencing an object that maybe I don't have access for. But if the parameters are not verified by the website, then I may still be able to access an object
12:43
for which I really shouldn't have access
12:46
just by manipulating the parameters in the URL. And we refer to that as insecure direct object reference. Now, if you're thinking what I am, some of these things would be really easy,
12:58
um, to limit. And that's true. But once again, we're not asking our developers to write secure code. We're not asking our developers to think of the vulnerabilities and the expected threats. We're asking them to write a Web page, a website that will sell our product, and that's where
13:18
our focus has been.
13:20
So when we talk about manipulating these parameters, we may be able to manipulate the parameters in the URL to gain access to other sites, or perhaps escalate privileges, access resources for which we shouldn't be allowed. And we refer to that as direct object references
13:37
because we're directly manipulating the URL to access these object references
13:41
rather than going through the more legitimate path of clicking on links or navigating through the website
13:48
and then the fifth most common vulnerability associated with Web application security, misconfigurations. And that's a very broad topic. There are a million ways that we can misconfigure our database application.
14:03
You know, we can leave default settings. You know Default settings for websites usually allow anonymous access because usually for a Web server, when we set up a website, we want people to be able to access that website and buy our product or learn about our company
14:22
without having to provide a whole lot of credentials or jump through a lot of hoops.
14:26
Well, that's a default configuration setting. We need to think about changing those default configuration settings. We need to think about getting away from default settings of any type, you know, we need to think about requiring for more secure environments, user name and password,
14:43
or integrating authentication with certificates.
14:46
We need to think about making sure that default settings are removed, that we don't have that administrator account with a password, "password," just those security basic misconfigurations that we make without
15:01
thinking about defensive coding. So there's a very general topic, a very general term,
15:07
but just the basics of not following good security principles. That's issue number five.

Instructed By

Kelly Handerhan
Senior Instructor